fix(watchdog): add s3:ListBucket on _alerts/_dedup prefix (L295)#331
Merged
Conversation
alpha_engine_lib.alerts.publish's S3-backed dedup uses HeadObject + conditional PUT semantics that require s3:ListBucket on the bucket itself (scoped via the s3:prefix condition). The watchdog role previously had only s3:GetObject + s3:PutObject on the dedup-marker prefix; the missing ListBucket caused dedup probes to error with AccessDenied, and the lib's fail-safe-to-publish path correctly fired the alert anyway — but with dedup non-functional, every cron firing during a persistent outage re-paged the operator instead of collapsing under the 12h dedup window.

The grant is scoped by an s3:prefix Condition to ``_alerts/_dedup`` + ``_alerts/_dedup/*`` so the watchdog can't enumerate other prefixes on the bucket. Mirrors the alpha-engine-data #327 (L258) precedent where ArcticDBSmokeListBucket added the same Condition-scoped grant for the OIDC role's ArcticDB smoke.

Applied via ``aws iam put-role-policy`` against ``alpha-engine-pipeline-watchdog-role`` (verified live). The deploy.sh already re-applies the policy on every run, so the codified change is in lockstep with the live state.

ROADMAP L295 (P2, 2026-05-26 PM audit finding).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
`alpha_engine_lib.alerts.publish`'s S3-backed dedup uses HeadObject + conditional PUT semantics that require `s3:ListBucket` on the bucket itself (scoped via `s3:prefix` condition). The watchdog role previously had only `s3:GetObject` + `s3:PutObject` on the dedup-marker prefix; the missing ListBucket caused dedup probes to error with AccessDenied, and the lib's fail-safe-to-publish path correctly fired the alert anyway — but with dedup non-functional, every cron firing during a persistent outage re-paged the operator instead of collapsing under the 12h dedup window.
Scoping
The grant is scoped by an `s3:prefix` Condition to `_alerts/_dedup` + `_alerts/_dedup/*` so the watchdog can't enumerate other prefixes on the bucket. Mirrors the alpha-engine-data #327 (L258) precedent where `ArcticDBSmokeListBucket` added the same Condition-scoped grant.
Live state
Already applied via `aws iam put-role-policy` against `alpha-engine-pipeline-watchdog-role` — verified live. The deploy.sh re-applies the policy on every run, so the codified JSON is in lockstep with AWS.
Test plan
ROADMAP L295 (P2, 2026-05-26 PM audit finding).
🤖 Generated with Claude Code
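The prefix-scoped ListBucket grant described in the summary, as an added example that is not part of this PR or the repo's deploy.sh: it lays out the corrected statement shape next to the over-broad alternative and includes a small audit that flags any ListBucket Allow lacking an `s3:prefix` Condition. The bucket name, the `StringLike` operator and the Sids are assumptions, not values from the page.

```python
# Added example (not the PR's own code): the shape of the corrected watchdog grant,
# plus an audit flagging s3:ListBucket Allows without an s3:prefix Condition.
# BUCKET is a placeholder; the real bucket name is not on the page.
BUCKET = "EXAMPLE-BUCKET"
DEDUP_PREFIX = "_alerts/_dedup"

WATCHDOG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # object-level access the role already had on the dedup-marker prefix
            "Sid": "DedupMarkerObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/{DEDUP_PREFIX}/*",
        },
        {   # the grant the PR adds: ListBucket on the bucket ARN, prefix-scoped
            "Sid": "DedupMarkerListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": [DEDUP_PREFIX, f"{DEDUP_PREFIX}/*"]}},
        },
    ],
}

# Over-broad alternative (no Condition): the role could list every prefix on the bucket.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "UnscopedListBucket", "Effect": "Allow",
                   "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def unscoped_list_bucket(policy: dict) -> list[str]:
    """Sids of Allow statements granting s3:ListBucket (directly or via wildcard)
    with no s3:prefix condition key; Deny statements are skipped."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"s3:listbucket", "s3:list*", "s3:*", "*"}:
            continue
        # Condition is {operator: {key: value}}; IAM condition keys are case-insensitive
        cond = st.get("Condition", {})
        if not any("s3:prefix" in (k.lower() for k in keys) for keys in cond.values()):
            findings.append(st.get("Sid", f"Statement[{i}]"))
    return findings
```

Running `unscoped_list_bucket` over a role's inline policies before `aws iam put-role-policy` is a cheap guard against the unscoped variant slipping in on a later edit.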